* Selinux going crazy in 2.6.34-rc0
@ 2010-03-06 10:29 Dmitry Torokhov
2010-03-06 10:49 ` Al Viro
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Torokhov @ 2010-03-06 10:29 UTC (permalink / raw)
To: LKML; +Cc: James Morris
Hi,
Selinux generates insane amounts of denial messages like the following
over and over again:
type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23085): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23086): avc: denied { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23087): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
This is on updated Fedora 12, commit 64096c17417380d8a472d096645f4cbc9406c987.
2.6.33-rc8-ish works fine.
--
Dmitry
* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 10:29 Selinux going crazy in 2.6.34-rc0 Dmitry Torokhov
@ 2010-03-06 10:49 ` Al Viro
  2010-03-06 17:27   ` Dmitry Torokhov
  0 siblings, 1 reply; 5+ messages in thread
From: Al Viro @ 2010-03-06 10:49 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: LKML, James Morris

On Sat, Mar 06, 2010 at 02:29:19AM -0800, Dmitry Torokhov wrote:
> Hi,
>
> Selinux generates insane amounts of denial messages like the following
> over and over again:
> type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1267870752.587:23085): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1267870752.587:23086): avc: denied { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1267870752.587:23087): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)

Interesting... That smells like a selinux policy that needed recognition
of inotify file descriptors and got b0rken by
commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
that switched inotify to use of anon_inodes. Could you check if that's the
trigger?
* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 10:49 ` Al Viro
@ 2010-03-06 17:27   ` Dmitry Torokhov
  2010-03-06 17:41     ` Al Viro
  0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Torokhov @ 2010-03-06 17:27 UTC (permalink / raw)
To: Al Viro; +Cc: LKML, James Morris

On Sat, Mar 06, 2010 at 10:49:46AM +0000, Al Viro wrote:
> On Sat, Mar 06, 2010 at 02:29:19AM -0800, Dmitry Torokhov wrote:
> > Hi,
> >
> > Selinux generates insane amounts of denial messages like the following
> > over and over again:
>
> > type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1267870752.587:23085): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> > type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1267870752.587:23086): avc: denied { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> > type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1267870752.587:23087): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> > type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
>
> Interesting... That smells like a selinux policy that needed recognition
> of inotify file descriptors and got b0rken by
> commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
> that switched inotify to use of anon_inodes. Could you check if that's the
> trigger?

Yep, that was it. With this commit reverted selinux stays quiet.
Well, almost, it is never completely quiet ;).

Thank you Al.

--
Dmitry
* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 17:27   ` Dmitry Torokhov
@ 2010-03-06 17:41     ` Al Viro
  2010-03-08  1:25       ` Eric Paris
  0 siblings, 1 reply; 5+ messages in thread
From: Al Viro @ 2010-03-06 17:41 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: LKML, James Morris

On Sat, Mar 06, 2010 at 09:27:27AM -0800, Dmitry Torokhov wrote:
> > Interesting... That smells like a selinux policy that needed recognition
> > of inotify file descriptors and got b0rken by
> > commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
> > that switched inotify to use of anon_inodes. Could you check if that's the
> > trigger?
>
> Yep, that was it. With this commit reverted selinux stays quiet.
> Well, almost, it is never completely quiet ;).
>
> Thank you Al.

Hrm... Folks, does anybody have suggestions on what to do about that one?
I can revert that thing, of course, but I wonder what's really going on
in the policy that triggers that spew...
* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 17:41     ` Al Viro
@ 2010-03-08  1:25       ` Eric Paris
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Paris @ 2010-03-08 1:25 UTC (permalink / raw)
To: Al Viro; +Cc: Dmitry Torokhov, LKML, James Morris, sds, davidel

On Sat, Mar 6, 2010 at 12:41 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Sat, Mar 06, 2010 at 09:27:27AM -0800, Dmitry Torokhov wrote:
>
>> > Interesting... That smells like a selinux policy that needed recognition
>> > of inotify file descriptors and got b0rken by
>> > commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
>> > that switched inotify to use of anon_inodes. Could you check if that's the
>> > trigger?
>>
>> Yep, that was it. With this commit reverted selinux stays quiet.
>> Well, almost, it is never completely quiet ;).
>>
>> Thank you Al.
>
> Hrm... Folks, does anybody have suggestions on what to do about that one?
> I can revert that thing, of course, but I wonder what's really going on
> in the policy that triggers that spew...

That is certainly an interesting little thing I never thought about, and
I'm both an SELinux and inotify maintainer, so no surprise no one else
thought about it either!

SELinux defines rules which label different filesystem types with
different default labels, such that an nfs filesystem would be nfs_t and
a tmpfs would be tmpfs_t. Inotify was using its own filesystem, and
applications which used inotify got rules like so:

allow policykit_t inotifyfs_t : dir { ioctl read getattr lock search open } ;

Now that we switch inotify to use generic anon inode code rather than
duplicate creating its own filesystem type for a single inode, we screwed
up those rule types.

I'm trying to think of a good solution and only two things come to mind:

a) revert the change and any others that switch things to anon inodes
from their own private fs (were there others?)

b) allow multiple anonymous inodes with differing security contexts;
possibly one inode per anon inodefs "class" would be sufficient to allow
for fine grained security controls over anon inode subsystems? I haven't
looked closely, but that seems like a reasonable trade off between fine
grained security and memory usage....

-Eric
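As an added example (not code from the thread, the kernel, or the SELinux project), here is a small Python checker that reads AVC/SYSCALL audit records like the ones Dmitry posted, correlates each AVC with its SYSCALL record through the audit serial, groups the denials by source type, target type and object class, and then tests the result against the allow rule Eric quotes. Run on the thread's own records it shows concretely why the existing rule no longer matches: the target moved from inotifyfs_t:dir to anon_inodefs_t:file. The sample records are copied from the thread and embedded inline; the function names and the regular expressions are my own.

```python
"""Parse SELinux AVC/SYSCALL audit records and check denials against allow rules.

Added example; not code from the thread or the kernel. The sample records are the
ones quoted in the thread and the allow rule is the one Eric quotes.
"""
import re

# Constructed sample: the AVC/SYSCALL records Dmitry posted, copied verbatim.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23085): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23086): avc: denied { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23087): avc: denied { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
"""

# The rule Eric quotes: it names the old inotifyfs_t target and the dir class.
OLD_RULE = "allow policykit_t inotifyfs_t : dir { ioctl read getattr lock search open } ;"

# type=<TYPE> msg=audit(<timestamp>:<serial>): <rest>; the serial ties an AVC to its SYSCALL.
AUDIT_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value, value optionally quoted
RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{\s*([^}]*)\}\s*;")


def parse_fields(text):
    """Turn 'pid=1807 comm="polkitd" ...' into a dict, stripping quotes from quoted values."""
    out = {}
    for m in FIELD_RE.finditer(text):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else raw
    return out


def parse_audit(text):
    """Return (avcs, syscalls): a list of AVC dicts and a serial -> SYSCALL-fields dict."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AUDIT_HDR.match(line.strip())
        if not m:
            continue
        serial = int(m.group("serial"))
        if m.group("type") == "AVC":
            a = AVC_RE.match(m.group("rest"))
            if not a:
                continue
            rec = parse_fields(a.group("fields"))
            rec.update(serial=serial, result=a.group("result"),
                       perms=frozenset(a.group("perms").split()))
            avcs.append(rec)
        elif m.group("type") == "SYSCALL":
            syscalls[serial] = parse_fields(m.group("rest"))
    return avcs, syscalls


def type_of(context):
    """user:role:type[:range] -> type (e.g. system_u:object_r:anon_inodefs_t:s0 -> anon_inodefs_t)."""
    return context.split(":")[2]


def summarize(avcs, syscalls):
    """Group denials by (source type, target type, class); union the permissions, count them,
    and note which syscall numbers and executables (from the matching SYSCALL record) hit them."""
    groups = {}
    for rec in avcs:
        if rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "count": 0, "syscalls": set(), "exe": set()})
        g["perms"] |= rec["perms"]
        g["count"] += 1
        sc = syscalls.get(rec["serial"])
        if sc:
            g["syscalls"].add(int(sc["syscall"]))
            g["exe"].add(sc.get("exe", "?"))
    return groups


def parse_allow_rule(text):
    """Parse 'allow SRC TGT : CLASS { perms } ;' into its parts."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not an allow rule: " + text)
    return {"source": m.group(1), "target": m.group(2), "tclass": m.group(3),
            "perms": frozenset(m.group(4).split())}


def uncovered(groups, rules):
    """For each denial group, return the permissions that no rule with the same
    (source, target, class) triple grants; an empty dict means the policy covers them all."""
    report = {}
    for (src, tgt, cls), g in groups.items():
        allowed = set()
        for r in rules:
            if (r["source"], r["target"], r["tclass"]) == (src, tgt, cls):
                allowed |= r["perms"]
        missing = g["perms"] - allowed
        if missing:
            report[(src, tgt, cls)] = missing
    return report


if __name__ == "__main__":
    avcs, syscalls = parse_audit(SAMPLE_AUDIT)
    groups = summarize(avcs, syscalls)
    for (src, tgt, cls), g in groups.items():
        print(f"{src} -> {tgt}:{cls} denied {sorted(g['perms'])} x{g['count']} "
              f"via syscalls {sorted(g['syscalls'])} from {sorted(g['exe'])}")
    for (src, tgt, cls), missing in uncovered(groups, [parse_allow_rule(OLD_RULE)]).items():
        print(f"no rule grants {src} {tgt}:{cls} {sorted(missing)}")
```

The interesting output is the second line: the old rule's triple is (policykit_t, inotifyfs_t, dir), the denials carry (policykit_t, anon_inodefs_t, file), so none of the old rule's permissions apply and both ioctl and read are reported as uncovered. The same checker, fed a rule for the anon_inodefs_t target, returns an empty report, which is the kind of check worth running before deciding whether the fix belongs in the kernel (Eric's option b) or in the policy.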